Lecture 4

Network Exploitation - nmap and Metasploit

Network Recon

Finding a target device to attack depends on the hacker’s objectives and may be opportunistic or targeted.

Either way, the first step in remote exploitation is to discover the target and gather information about it. After all, one cannot exploit a host that does not exist! The next step consists of gathering public information about the target, including which ports are open and which applications are reachable over the network.

IP Addresses

Recall that an IPv4 address is specified by 4 bytes (32 bits), constituting an integer value between 0 and 2^32-1. Typically an IP address is written as four base-10 octets UUU.VVV.WWW.XXX where UUU, VVV, WWW, and XXX are each in the range 0..255. For example, the IP address of uwo.ca is 129.100.0.79. The University of Western Ontario, however, administers many hosts… an entire network in fact.

Class A: A network specified by the top byte (8 bits), i.e., the range UUU.0.0.0 to UUU.255.255.255

Class B: A network specified by the top two bytes (16 bits), i.e., the range UUU.VVV.0.0 to UUU.VVV.255.255

Class C: A network specified by the top three bytes (24 bits), i.e., the range UUU.VVV.WWW.0 to UUU.VVV.WWW.255

We can use the CIDR notation to specify a network range. An IP range in this notation has the form UUU.VVV.WWW.XXX/YY where YY is an integer in the range 0..32 specifying how many of the top bits of the IP address are fixed.

Here are some examples:

129.100.0.79/24 would specify the class C network that uwo.ca is on.

129.100.0.79/16 would specify the class B network that uwo.ca is on.

129.100.0.79/32 would specify the single host that uwo.ca resolves to.

Whois

Suppose a penetration tester is hired to perform an evaluation of The University of Western Ontario. The permission to conduct this evaluation (if it were real) would obviously exist between the tester and Western, so the tester would first want to confirm which IP addresses belong to Western.

They can start by gathering basic public information about the domain uwo.ca from ARIN:

Next the tester should confirm the IP range owned by Western. This is crucial for the tester not only to narrow their search space, but also to ensure they do not try to hack into a host without permission. Even if the company states its IP range in the contract, the tester would want to confirm it.

The tester might first seek to determine the IP address of the company’s main website:

Here we see Western owns a class B network consisting of IPs in the range 129.100.0.0 to 129.100.255.255. We also see that Western registered uwo.ca in 1987, several years before the web was even invented! Of course they were actively using email and FTP and other early internet services.

Ports

A port is a software abstraction. Just as IP addresses are used to identify machines on a network, ports identify specific applications running on a machine.

Ports can range in value from 1 to 65535.

Reserved Ports

Ports in the range 1 to 1023 are reserved ports, and Unix systems require applications to have root privileges to bind to these ports. This gives visitors to a site some assurance that they are connecting to a valid system service started by the system administrator, and not by some unprivileged user. For example, the typical port for ssh is 22.

nmap

nmap is a well known network scanning tool for discovering hosts and services. It has a wide range of scanning methods and plugins.

Passive Host Discovery

Passive scans are a good place to start gathering basic information about a host. They have the benefit of being stealthy, as they do not contact the host itself.

Using nmap you can use the -sL “list scan” option to do reverse-DNS lookups on neighboring IP addresses. For example:

$ nmap -sL www.uwo.ca/24

will tell you the host names of all the hosts on the class C network shared by uwo.ca. This potentially allows us to discover interesting host names, such as this one:

Nmap scan report for owl.uwo.ca (129.100.0.33)

Active Host Discovery

Active scans are less stealthy than passive scans since they directly contact the host. This, however, allows you to gain more information than you could with a passive scan alone, such as whether the host is currently online at all.

The IANA maintains a number of special-use domains for the purpose of basic illustrative examples in documents. One such domain is example.com, which we can use to give another concrete example of nmap’s basic use:

Port Scanning

Port scanning can be used to gain information about what kinds of software and services might be available on a host. Without any options specified, nmap performs an initial host discovery followed by a basic port scan.

Similarly, you can use this command to discover hosts and services on your home network, substituting your internal network IP range. First you need to find your own device’s IP address, which you can do in a terminal:

Here our IP address is 192.168.1.3, so we can proceed to scan the home network, i.e. 192.168.1.0 to 192.168.1.255, using any of several equivalent commands, including:

nmap 192.168.1.0/24
nmap 192.168.1.3/24
nmap 192.168.1.*

The -sV option performs version detection of the services. This doesn’t always work, especially if the system administrators have taken steps to obfuscate it. In other cases we can learn which server version and OS the target is running. For example, we see eng.uwo.ca is running Windows:

The -A option prints more detailed information about services, and used with the -sS option it can be reasonably fast. (Metasploitable, for example, is made purposely vulnerable to facilitate pen-testing education.) Against it, this would reveal that it is running Ubuntu with Apache 2.2.8:
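From the defender’s side, a scan of the kind described above is easy to spot: a default nmap run touches on the order of a thousand ports on a host within seconds, so one source reaching many distinct destination ports on one host inside a short window is a strong indicator. The detector below is an added example, not part of the lecture notes; the "epoch src dst dport" log format and the sample lines are constructed for it, and the window and threshold values are assumptions to tune per network.

```python
from collections import defaultdict

# Added example (not from the lecture notes). Constructed connection log:
# one line per new TCP connection attempt, "epoch src dst dport".
# 192.168.1.3 walks a burst of ports on 192.168.1.2; 192.168.1.7 is
# ordinary web traffic to the same host and must not be flagged.
SAMPLE_LOG = """\
1700000000 192.168.1.3 192.168.1.2 22
1700000000 192.168.1.3 192.168.1.2 80
1700000001 192.168.1.3 192.168.1.2 139
1700000001 192.168.1.3 192.168.1.2 445
1700000002 192.168.1.3 192.168.1.2 3306
1700000002 192.168.1.3 192.168.1.2 5432
1700000003 192.168.1.3 192.168.1.2 8180
1700000010 192.168.1.7 192.168.1.2 443
1700000020 192.168.1.7 192.168.1.2 443
1700000030 192.168.1.7 192.168.1.2 80
"""

def parse_log(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def detect_scans(records, window=60, threshold=5):
    """Return {(src, dst): n_ports} for every pair where src contacted at
    least `threshold` distinct ports on dst inside some `window`-second span.
    Distinct ports (not connection count) is what separates a port sweep from
    a busy but legitimate client hammering one service."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # slide the window start
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits

if __name__ == "__main__":
    for (src, dst), n in detect_scans(parse_log(SAMPLE_LOG)).items():
        print("possible port scan: %s -> %s, %d distinct ports" % (src, dst, n))
```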

Metasploit and Metasploitable

Metasploit is a customizable exploitation framework for penetration testing. It provides a (somewhat) easy-to-use interface for managing and deploying exploits.
Metasploitable is an intentionally vulnerable version of Linux which allows us to explore exploitation techniques in a sandboxed environment.

Virtual Pen-Testing Lab

We begin by downloading Metasploitable 2 (about 800MB) and the Kali Linux VirtualBox image. Next we configure them to use an internal (virtual) network.

Step 2: Port Scanning

Next we can scan 192.168.1.2 to explore its port configuration. In particular we’d like to get a little more detailed information about what application versions are running so we’ll use the -sV option.

Metasploitable is configured to have many ports open (to allow many possible avenues for exploitation). In particular we notice port 139 is running Samba 3.X. Interesting. You look up Samba on Wikipedia and read that:

Some versions of Samba 3.6.3 and lower suffer serious security issues which can allow anonymous users to gain root access to a system from an anonymous connection.

Step 3: Exploit

Initialize the Metasploit database and start the msfconsole:

$ service postgresql start
$ msfdb init
$ msfconsole

Next, check that the database has connected. Typing:

msf > db_status

should return:

[*] postgresql connected to msf3

The first time you run Metasploit, you should build the database cache to allow for faster searching:

msf > db_rebuild_cache

This may take 5-10 minutes, so grab a coffee, and restart msfconsole when you come back.

Step 4: Payload

Now that the exploit is configured and ready, the final step is to specify the payload, i.e., the malicious code we wish to deliver via the exploit. We need to see which payloads are compatible by typing:

msf > show payloads

to receive a list. We’re going to use a netcat-based reverse TCP shell: